From 8ddfdf746b8d1abe685bdc0971194382e376044c Mon Sep 17 00:00:00 2001 From: Baptiste Grenier Date: Fri, 11 Oct 2024 17:36:40 +0200 Subject: [PATCH 01/24] Import mega-linter.yml. Fix #147. --- .github/workflows/mega-linter.yml | 91 +++++++++++++++++++++++++++++++ 1 file changed, 91 insertions(+) create mode 100644 .github/workflows/mega-linter.yml diff --git a/.github/workflows/mega-linter.yml b/.github/workflows/mega-linter.yml new file mode 100644 index 0000000000..5da280d30b --- /dev/null +++ b/.github/workflows/mega-linter.yml 
@@ -0,0 +1,91 @@ +--- +# MegaLinter GitHub Action configuration file +# More info at https://megalinter.io +name: MegaLinter + +on: + # Trigger mega-linter at every push. Action will also be visible from Pull Requests to main + push: # Comment this line to trigger action only on pull-requests (not recommended if you don't pay for GH Actions) + pull_request: + branches: [main] + +env: # Comment env block if you don't want to apply fixes + # Apply linter fixes configuration + APPLY_FIXES: all # When active, APPLY_FIXES must also be defined as environment variable (in github/workflows/mega-linter.yml or other CI tool) + APPLY_FIXES_EVENT: pull_request # Decide which event triggers application of fixes in a commit or a PR (pull_request, push, all) + APPLY_FIXES_MODE: pull_request # If APPLY_FIXES is used, defines if the fixes are directly committed (commit) or posted in a PR (pull_request) + +concurrency: + group: ${{ github.ref }}-${{ github.workflow }} + cancel-in-progress: true + +jobs: + megalinter: + name: MegaLinter + runs-on: ubuntu-latest + permissions: + # Give the default GITHUB_TOKEN write permission to commit and push, comment issues & post new PR + # Remove the ones you do not need + contents: read + issues: write + pull-requests: write + steps: + # Git Checkout + - name: Checkout Code + uses: actions/checkout@v4 + with: + token: ${{ secrets.PAT || secrets.GITHUB_TOKEN }} + fetch-depth: 0 # If you use VALIDATE_ALL_CODEBASE = true, you can remove this line to improve performances + + # MegaLinter + - name: MegaLinter + id: ml + # You can override MegaLinter flavor used to have faster performances + # More info at https://megalinter.io/flavors/ + uses: oxsecurity/megalinter@v8 + env: + # All available variables are described in documentation + # https://megalinter.io/configuration/ + VALIDATE_ALL_CODEBASE: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }} # Validates all source when push on main, else just the git diff with main. 
Override with true if you always want to lint all sources + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # ADD YOUR CUSTOM ENV VARIABLES HERE OR DEFINE THEM IN A FILE .mega-linter.yml AT THE ROOT OF YOUR REPOSITORY + # DISABLE: COPYPASTE,SPELL # Uncomment to disable copy-paste and spell checks + + # Upload MegaLinter artifacts + - name: Archive production artifacts + if: success() || failure() + uses: actions/upload-artifact@v4 + with: + name: MegaLinter reports + path: | + megalinter-reports + mega-linter.log + + # Create pull request if applicable (for now works only on PR from same repository, not from forks) + - name: Create Pull Request with applied fixes + id: cpr + if: steps.ml.outputs.has_updated_sources == 1 && (env.APPLY_FIXES_EVENT == 'all' || env.APPLY_FIXES_EVENT == github.event_name) && env.APPLY_FIXES_MODE == 'pull_request' && (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository) && !contains(github.event.head_commit.message, 'skip fix') + uses: peter-evans/create-pull-request@v6 + with: + token: ${{ secrets.PAT || secrets.GITHUB_TOKEN }} + commit-message: "[MegaLinter] Apply linters automatic fixes" + title: "[MegaLinter] Apply linters automatic fixes" + labels: bot + - name: Create PR output + if: steps.ml.outputs.has_updated_sources == 1 && (env.APPLY_FIXES_EVENT == 'all' || env.APPLY_FIXES_EVENT == github.event_name) && env.APPLY_FIXES_MODE == 'pull_request' && (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository) && !contains(github.event.head_commit.message, 'skip fix') + run: | + echo "Pull Request Number - ${{ steps.cpr.outputs.pull-request-number }}" + echo "Pull Request URL - ${{ steps.cpr.outputs.pull-request-url }}" + + # Push new commit if applicable (for now works only on PR from same repository, not from forks) + - name: Prepare commit + if: steps.ml.outputs.has_updated_sources == 1 && (env.APPLY_FIXES_EVENT == 'all' || env.APPLY_FIXES_EVENT == 
github.event_name) && env.APPLY_FIXES_MODE == 'commit' && github.ref != 'refs/heads/main' && (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository) && !contains(github.event.head_commit.message, 'skip fix') + run: sudo chown -Rc $UID .git/ + - name: Commit and push applied linter fixes + if: steps.ml.outputs.has_updated_sources == 1 && (env.APPLY_FIXES_EVENT == 'all' || env.APPLY_FIXES_EVENT == github.event_name) && env.APPLY_FIXES_MODE == 'commit' && github.ref != 'refs/heads/main' && (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository) && !contains(github.event.head_commit.message, 'skip fix') + uses: stefanzweifel/git-auto-commit-action@v4 + with: + branch: ${{ github.event.pull_request.head.ref || github.head_ref || github.ref }} + commit_message: "[MegaLinter] Apply linters fixes" + commit_user_name: megalinter-bot + commit_user_email: nicolas.vuillamy@ox.security From 80742f377168b968417b94c9d525c5782c2537d9 Mon Sep 17 00:00:00 2001 From: Baptiste Grenier Date: Sat, 12 Oct 2024 13:01:04 +0200 Subject: [PATCH 02/24] Tidy up some comments --- .github/workflows/mega-linter.yml | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/.github/workflows/mega-linter.yml b/.github/workflows/mega-linter.yml index 5da280d30b..5c0f5c6b70 100644 --- a/.github/workflows/mega-linter.yml +++ b/.github/workflows/mega-linter.yml 
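Review bot: Every third-party action in this new workflow is referenced by a mutable major-version tag (`actions/checkout@v4`, `oxsecurity/megalinter@v8`, `actions/upload-artifact@v4`, `peter-evans/create-pull-request@v6`, `stefanzweifel/git-auto-commit-action@v4`) while the job holds `issues: write`, `pull-requests: write` and receives `secrets.PAT`, so whatever a re-pointed tag resolves to runs with those credentials. Pinning each `uses:` to a full-length commit SHA with the version kept in a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha>  # v4` (placeholder, not a real SHA), and letting Dependabot bump the pins preserves the update path without the mutable reference; the flavor ref introduced in patch 05 would get the same treatment. The checkout step is also handed the PAT and, unless `persist-credentials: false` is added under its `with:` block, leaves it in the checkout's git config for the MegaLinter container step that runs third-party linters over the tree; since `APPLY_FIXES_MODE` is `pull_request` here, the only step that needs a push credential is the create-pull-request step, which already takes its own `token:` input.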
@@ -5,15 +5,17 @@ name: MegaLinter on: # Trigger mega-linter at every push. Action will also be visible from Pull Requests to main - push: # Comment this line to trigger action only on pull-requests (not recommended if you don't pay for GH Actions) + push: pull_request: branches: [main] -env: # Comment env block if you don't want to apply fixes +env: # Apply linter fixes configuration - APPLY_FIXES: all # When active, APPLY_FIXES must also be defined as environment variable (in github/workflows/mega-linter.yml or other CI tool) - APPLY_FIXES_EVENT: pull_request # Decide which event triggers application of fixes in a commit or a PR (pull_request, push, all) - APPLY_FIXES_MODE: pull_request # If APPLY_FIXES is used, defines if the fixes are directly committed (commit) or posted in a PR (pull_request) + # When active, APPLY_FIXES must also be defined as environment variable (in github/workflows/mega-linter.yml or other CI tool) + APPLY_FIXES: all + APPLY_FIXES_EVENT: pull_request + # If APPLY_FIXES is used, defines if the fixes are directly committed (commit) or posted in a PR (pull_request) + APPLY_FIXES_MODE: pull_request concurrency: group: ${{ github.ref }}-${{ github.workflow }} @@ -35,7 +37,8 @@ jobs: uses: actions/checkout@v4 with: token: ${{ secrets.PAT || secrets.GITHUB_TOKEN }} - fetch-depth: 0 # If you use VALIDATE_ALL_CODEBASE = true, you can remove this line to improve performances + # If you use VALIDATE_ALL_CODEBASE = true, you can remove this line to improve performances + fetch-depth: 0 # MegaLinter - name: MegaLinter From 1b50056be6a9a080d30947c56ffedb1eb1be4c16 Mon Sep 17 00:00:00 2001 From: Baptiste Grenier Date: Sat, 12 Oct 2024 13:07:57 +0200 Subject: [PATCH 03/24] Tidy up some comments, bis --- .github/workflows/mega-linter.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/mega-linter.yml b/.github/workflows/mega-linter.yml index 5c0f5c6b70..b4433a8569 100644 --- a/.github/workflows/mega-linter.yml 
+++ b/.github/workflows/mega-linter.yml @@ -11,7 +11,8 @@ on: env: # Apply linter fixes configuration - # When active, APPLY_FIXES must also be defined as environment variable (in github/workflows/mega-linter.yml or other CI tool) + # When active, APPLY_FIXES must also be defined as environment variable + # (in github/workflows/mega-linter.yml or other CI tool) APPLY_FIXES: all APPLY_FIXES_EVENT: pull_request # If APPLY_FIXES is used, defines if the fixes are directly committed (commit) or posted in a PR (pull_request) @@ -49,7 +50,8 @@ jobs: env: # All available variables are described in documentation # https://megalinter.io/configuration/ - VALIDATE_ALL_CODEBASE: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }} # Validates all source when push on main, else just the git diff with main. Override with true if you always want to lint all sources + # Validates all source when push on main, else just the git diff with main. Override with true if you always want to lint all sources + VALIDATE_ALL_CODEBASE: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # ADD YOUR CUSTOM ENV VARIABLES HERE OR DEFINE THEM IN A FILE .mega-linter.yml AT THE ROOT OF YOUR REPOSITORY # DISABLE: COPYPASTE,SPELL # Uncomment to disable copy-paste and spell checks From 8cdd9895009b1332f53dacfde24bdf470c89c57b Mon Sep 17 00:00:00 2001 From: Baptiste Grenier Date: Sat, 12 Oct 2024 13:11:45 +0200 Subject: [PATCH 04/24] Shorten long lines --- .github/workflows/mega-linter.yml | 31 ++++++++++++++++++++++++++----- 1 file changed, 26 insertions(+), 5 deletions(-) diff --git a/.github/workflows/mega-linter.yml b/.github/workflows/mega-linter.yml index b4433a8569..c75d816ee5 100644 --- a/.github/workflows/mega-linter.yml +++ b/.github/workflows/mega-linter.yml 
@@ -50,7 +50,8 @@ jobs: env: # All available variables are described in documentation # https://megalinter.io/configuration/ - # Validates all source when push on main, else just the git diff with main. Override with true if you always want to lint all sources + # Validates all source when push on main, else just the git diff with main. + # Override with true if you always want to lint all sources VALIDATE_ALL_CODEBASE: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # ADD YOUR CUSTOM ENV VARIABLES HERE OR DEFINE THEM IN A FILE .mega-linter.yml AT THE ROOT OF YOUR REPOSITORY @@ -69,7 +70,12 @@ jobs: # Create pull request if applicable (for now works only on PR from same repository, not from forks) - name: Create Pull Request with applied fixes id: cpr - if: steps.ml.outputs.has_updated_sources == 1 && (env.APPLY_FIXES_EVENT == 'all' || env.APPLY_FIXES_EVENT == github.event_name) && env.APPLY_FIXES_MODE == 'pull_request' && (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository) && !contains(github.event.head_commit.message, 'skip fix') + if: steps.ml.outputs.has_updated_sources == 1 && + (env.APPLY_FIXES_EVENT == 'all' || env.APPLY_FIXES_EVENT == + github.event_name) && env.APPLY_FIXES_MODE == 'pull_request' && + (github.event_name == 'push' || + github.event.pull_request.head.repo.full_name == github.repository) && + !contains(github.event.head_commit.message, 'skip fix') uses: peter-evans/create-pull-request@v6 with: token: ${{ secrets.PAT || secrets.GITHUB_TOKEN }} 
@@ -77,17 +83,32 @@ jobs: title: "[MegaLinter] Apply linters automatic fixes" labels: bot - name: Create PR output - if: steps.ml.outputs.has_updated_sources == 1 && (env.APPLY_FIXES_EVENT == 'all' || env.APPLY_FIXES_EVENT == github.event_name) && env.APPLY_FIXES_MODE == 'pull_request' && (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository) && !contains(github.event.head_commit.message, 'skip fix') + if: steps.ml.outputs.has_updated_sources == 1 && + (env.APPLY_FIXES_EVENT == 'all' || env.APPLY_FIXES_EVENT == + github.event_name) && env.APPLY_FIXES_MODE == 'pull_request' && + (github.event_name == 'push' || + github.event.pull_request.head.repo.full_name == github.repository) && + !contains(github.event.head_commit.message, 'skip fix') run: | echo "Pull Request Number - ${{ steps.cpr.outputs.pull-request-number }}" echo "Pull Request URL - ${{ steps.cpr.outputs.pull-request-url }}" # Push new commit if applicable (for now works only on PR from same repository, not from forks) - name: Prepare commit - if: steps.ml.outputs.has_updated_sources == 1 && (env.APPLY_FIXES_EVENT == 'all' || env.APPLY_FIXES_EVENT == github.event_name) && env.APPLY_FIXES_MODE == 'commit' && github.ref != 'refs/heads/main' && (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository) && !contains(github.event.head_commit.message, 'skip fix') + if: steps.ml.outputs.has_updated_sources == 1 && + (env.APPLY_FIXES_EVENT == 'all' || env.APPLY_FIXES_EVENT == + github.event_name) && env.APPLY_FIXES_MODE == 'commit' && github.ref + != 'refs/heads/main' && (github.event_name == 'push' || + github.event.pull_request.head.repo.full_name == github.repository) && + !contains(github.event.head_commit.message, 'skip fix') run: sudo chown -Rc $UID .git/ - name: Commit and push applied linter fixes - if: steps.ml.outputs.has_updated_sources == 1 && (env.APPLY_FIXES_EVENT == 'all' || env.APPLY_FIXES_EVENT == 
github.event_name) && env.APPLY_FIXES_MODE == 'commit' && github.ref != 'refs/heads/main' && (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository) && !contains(github.event.head_commit.message, 'skip fix') + if: steps.ml.outputs.has_updated_sources == 1 && + (env.APPLY_FIXES_EVENT == 'all' || env.APPLY_FIXES_EVENT == + github.event_name) && env.APPLY_FIXES_MODE == 'commit' && github.ref + != 'refs/heads/main' && (github.event_name == 'push' || + github.event.pull_request.head.repo.full_name == github.repository) && + !contains(github.event.head_commit.message, 'skip fix') uses: stefanzweifel/git-auto-commit-action@v4 with: branch: ${{ github.event.pull_request.head.ref || github.head_ref || github.ref }} From 8761091d599b3373fbe01acac3c3b3eaaafb693f Mon Sep 17 00:00:00 2001 From: Baptiste Grenier Date: Sun, 13 Oct 2024 10:39:56 +0200 Subject: [PATCH 05/24] Switch megalinter to documentation flavor --- .github/workflows/mega-linter.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/mega-linter.yml b/.github/workflows/mega-linter.yml index c75d816ee5..63cbfb7b4d 100644 --- a/.github/workflows/mega-linter.yml +++ b/.github/workflows/mega-linter.yml @@ -46,7 +46,7 @@ jobs: id: ml # You can override MegaLinter flavor used to have faster performances # More info at https://megalinter.io/flavors/ - uses: oxsecurity/megalinter@v8 + uses: oxsecurity/megalinter/flavors/documentation@v8 env: # All available variables are described in documentation # https://megalinter.io/configuration/ From 4ad8d0c53a68cc9a53e54f9899ee5c85f570b267 Mon Sep 17 00:00:00 2001 From: Baptiste Grenier Date: Sun, 13 Oct 2024 10:57:58 +0200 Subject: [PATCH 06/24] Try to address linte reports --- .github/workflows/build.yml | 2 ++ .github/workflows/build_pr_preview.yml | 2 ++ .github/workflows/check-links.yml | 2 ++ .github/workflows/lint.yml | 2 ++ 4 files changed, 8 insertions(+) 
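Review bot: The four `if:` conditions are wrapped as multi-line plain scalars, which YAML folds correctly, but the breaks fall mid-clause (`env.APPLY_FIXES_EVENT ==` / `github.event_name)`, and `github.ref` / `!= 'refs/heads/main'`), so the boolean structure has to be reassembled by the reader. A folded block scalar with one `&&`-joined clause per line keeps the line length down and makes each term visible at a glance; the same layout applies to the three sibling conditions in this patch. The rewrite for the last step is shown below; the `uses:`/`with:` block under it is unchanged.
```yaml
      - name: Commit and push applied linter fixes
        if: >-
          steps.ml.outputs.has_updated_sources == 1 &&
          (env.APPLY_FIXES_EVENT == 'all' || env.APPLY_FIXES_EVENT == github.event_name) &&
          env.APPLY_FIXES_MODE == 'commit' &&
          github.ref != 'refs/heads/main' &&
          (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository) &&
          !contains(github.event.head_commit.message, 'skip fix')
        # … unchanged: uses/with block …
```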
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index e6506f88bb..b7dce98df5 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -5,6 +5,8 @@ name: Build documentation on: [pull_request] +permissions: read-all + jobs: build: name: Build with Hugo diff --git a/.github/workflows/build_pr_preview.yml b/.github/workflows/build_pr_preview.yml index 287d649a26..4315a0f2a1 100644 --- a/.github/workflows/build_pr_preview.yml +++ b/.github/workflows/build_pr_preview.yml @@ -8,6 +8,8 @@ on: # Run when label is added or present and when pushing to the PR types: [labeled, opened, synchronize] +permissions: read-all + jobs: build_preview: # Do not run on forks, and only if "safe for preview" label is set diff --git a/.github/workflows/check-links.yml b/.github/workflows/check-links.yml index 97a6129073..135493ae48 100644 --- a/.github/workflows/check-links.yml +++ b/.github/workflows/check-links.yml @@ -7,6 +7,8 @@ on: # run on Sundays morning - cron: '32 9 * * 0' +permissions: read-all + jobs: markdown-link-check: name: Check links using markdown-link-check diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index e603031318..4e6cb4c4d6 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -4,6 +4,8 @@ name: Lint on: pull_request: +permissions: read-all + jobs: super-lint: name: Lint with Super-Linter From e4e918d84dc570f31bf00f6e9d31d94748d15872 Mon Sep 17 00:00:00 2001 From: Baptiste Grenier Date: Sun, 13 Oct 2024 10:59:46 +0200 Subject: [PATCH 07/24] Disable COPYPASTE and SPELL --- .github/workflows/mega-linter.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/mega-linter.yml b/.github/workflows/mega-linter.yml index 63cbfb7b4d..e646d1ba64 100644 --- a/.github/workflows/mega-linter.yml +++ b/.github/workflows/mega-linter.yml 
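Review bot: `permissions: read-all` in each of these four workflow headers grants read access on every token scope, which is broader than a build or lint job that only checks out the repository needs; `permissions:` with just `contents: read` (or `permissions: {}` with the required scopes granted per job) is the least-privilege form. Because a job-level `permissions` block replaces the workflow-level default rather than merging with it, any job in these files that already declares its own block is unaffected by this line, and the jobs themselves sit outside the hunks so their actual needs cannot be confirmed from here. Patches 12 and 15 add the same `read-all` default to delete_pr_preview, deploy_pr_preview, mega-linter, spelling and deploy, and the same narrowing applies there.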
@@ -55,7 +55,7 @@ jobs: VALIDATE_ALL_CODEBASE: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # ADD YOUR CUSTOM ENV VARIABLES HERE OR DEFINE THEM IN A FILE .mega-linter.yml AT THE ROOT OF YOUR REPOSITORY - # DISABLE: COPYPASTE,SPELL # Uncomment to disable copy-paste and spell checks + DISABLE: COPYPASTE,SPELL # Upload MegaLinter artifacts - name: Archive production artifacts From 56c86954233ab9357d11c37569aa67c58c47d8b8 Mon Sep 17 00:00:00 2001 From: Baptiste Grenier Date: Sun, 13 Oct 2024 11:08:12 +0200 Subject: [PATCH 08/24] Configure secretlint --- .github/linters/.secretlintrc.json | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 .github/linters/.secretlintrc.json diff --git a/.github/linters/.secretlintrc.json b/.github/linters/.secretlintrc.json new file mode 100644 index 0000000000..7727823ea9 --- /dev/null +++ b/.github/linters/.secretlintrc.json @@ -0,0 +1,11 @@ +{ + "rules": [ + { + "id": "@secretlint/secretlint-rule-preset-recommend" + }, + { + "id": "@secretlint/secretlint-rule-basicauth", + "allows": [ "/HOSTNAME:SECRET/i" ] + } + ] +} From 25dfe3a69c17f458f8bb08aae025c9fe8f73668c Mon Sep 17 00:00:00 2001 From: Baptiste Grenier Date: Sun, 13 Oct 2024 11:13:27 +0200 Subject: [PATCH 09/24] Disable GRYPE --- .github/workflows/mega-linter.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/mega-linter.yml b/.github/workflows/mega-linter.yml index e646d1ba64..5938fca25d 100644 --- a/.github/workflows/mega-linter.yml +++ b/.github/workflows/mega-linter.yml 
@@ -55,7 +55,7 @@ jobs: VALIDATE_ALL_CODEBASE: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # ADD YOUR CUSTOM ENV VARIABLES HERE OR DEFINE THEM IN A FILE .mega-linter.yml AT THE ROOT OF YOUR REPOSITORY - DISABLE: COPYPASTE,SPELL + DISABLE: COPYPASTE,SPELL,REPOSITORY_GRYPE # Upload MegaLinter artifacts - name: Archive production artifacts From 9403e9b2aa79048a38cff2b4901ea70a41257d8e Mon Sep 17 00:00:00 2001 From: Baptiste Grenier Date: Sun, 13 Oct 2024 11:18:57 +0200 Subject: [PATCH 10/24] Gitleaks only changes for PR and for everything for the rest --- .github/workflows/mega-linter.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/mega-linter.yml b/.github/workflows/mega-linter.yml index 5938fca25d..c006127fcd 100644 --- a/.github/workflows/mega-linter.yml +++ b/.github/workflows/mega-linter.yml @@ -56,6 +56,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # ADD YOUR CUSTOM ENV VARIABLES HERE OR DEFINE THEM IN A FILE .mega-linter.yml AT THE ROOT OF YOUR REPOSITORY DISABLE: COPYPASTE,SPELL,REPOSITORY_GRYPE + REPOSITORY_GITLEAKS_PR_COMMITS_SCAN: ${{ github.event_name == 'pull_request' }} # Upload MegaLinter artifacts - name: Archive production artifacts From 8a3fdb9aabac2d4d44e86b85179b365fbbb16812 Mon Sep 17 00:00:00 2001 From: Baptiste Grenier Date: Sun, 13 Oct 2024 11:22:32 +0200 Subject: [PATCH 11/24] Update exclusions --- .github/workflows/mega-linter.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/mega-linter.yml b/.github/workflows/mega-linter.yml index c006127fcd..f528dcdbd4 100644 --- a/.github/workflows/mega-linter.yml +++ b/.github/workflows/mega-linter.yml 
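Review bot: Adding `REPOSITORY_GRYPE` to `DISABLE` switches off a vulnerability scanner with no comment recording why, so the next reader of this env block cannot tell whether its findings were triaged or the scanner was simply not applicable. A one-line comment above the entry would capture the decision, for example `# Dependency/container vulnerability scans are not applicable to this Hugo documentation site; secret scanning (gitleaks, secretlint) stays enabled`, adjusted to whatever the actual reason was. Patches 11 and 14 extend the list with `REPOSITORY_TRIVY` and `REPOSITORY_TRUFFLEHOG` and would carry the same comment.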
@@ -55,7 +55,8 @@ jobs: VALIDATE_ALL_CODEBASE: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # ADD YOUR CUSTOM ENV VARIABLES HERE OR DEFINE THEM IN A FILE .mega-linter.yml AT THE ROOT OF YOUR REPOSITORY - DISABLE: COPYPASTE,SPELL,REPOSITORY_GRYPE + DISABLE: COPYPASTE,SPELL + DISABLE_LINTERS: REPOSITORY_GRYPE,REPOSITORY_TRIVY REPOSITORY_GITLEAKS_PR_COMMITS_SCAN: ${{ github.event_name == 'pull_request' }} # Upload MegaLinter artifacts From 820c18d36e38fbe425f258f8be6d6c7566e26474 Mon Sep 17 00:00:00 2001 From: Baptiste Grenier Date: Sun, 13 Oct 2024 11:25:17 +0200 Subject: [PATCH 12/24] Harden more top-level permissions --- .github/workflows/delete_pr_preview.yml | 2 ++ .github/workflows/deploy_pr_preview.yml | 2 ++ .github/workflows/mega-linter.yml | 2 ++ .github/workflows/spelling.yml | 2 ++ 4 files changed, 8 insertions(+) diff --git a/.github/workflows/delete_pr_preview.yml b/.github/workflows/delete_pr_preview.yml index 56459927ee..17c16b4fab 100644 --- a/.github/workflows/delete_pr_preview.yml +++ b/.github/workflows/delete_pr_preview.yml @@ -6,6 +6,8 @@ on: # Run when label is removed or pull request closed types: [unlabeled, closed] +permissions: read-all + jobs: delete_preview: # Do not run on forks, and only if "safe for preview" label is set diff --git a/.github/workflows/deploy_pr_preview.yml b/.github/workflows/deploy_pr_preview.yml index 8de352d305..bd5ac36fa6 100644 --- a/.github/workflows/deploy_pr_preview.yml +++ b/.github/workflows/deploy_pr_preview.yml @@ -13,6 +13,8 @@ on: workflows: ["Build pull request preview"] types: [completed] +permissions: read-all + jobs: deploy_pr_preview: # Only run if PR preview build was successful diff --git a/.github/workflows/mega-linter.yml b/.github/workflows/mega-linter.yml index f528dcdbd4..164bc733f9 100644 --- a/.github/workflows/mega-linter.yml +++ b/.github/workflows/mega-linter.yml 
@@ -9,6 +9,8 @@ on: pull_request: branches: [main] +permissions: read-all + env: # Apply linter fixes configuration # When active, APPLY_FIXES must also be defined as environment variable diff --git a/.github/workflows/spelling.yml b/.github/workflows/spelling.yml index 79a299bde0..f972f437a5 100644 --- a/.github/workflows/spelling.yml +++ b/.github/workflows/spelling.yml @@ -74,6 +74,8 @@ on: types: - "created" +permissions: read-all + jobs: spelling: name: Check Spelling From 846a6f2867bdfe05b9a296558161a56c72be94c5 Mon Sep 17 00:00:00 2001 From: Baptiste Grenier Date: Sun, 13 Oct 2024 11:27:28 +0200 Subject: [PATCH 13/24] Fix secretlint conf --- .github/linters/.secretlintrc.json | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/.github/linters/.secretlintrc.json b/.github/linters/.secretlintrc.json index 7727823ea9..51cbba75cb 100644 --- a/.github/linters/.secretlintrc.json +++ b/.github/linters/.secretlintrc.json @@ -1,11 +1,13 @@ { "rules": [ { - "id": "@secretlint/secretlint-rule-preset-recommend" - }, - { - "id": "@secretlint/secretlint-rule-basicauth", - "allows": [ "/HOSTNAME:SECRET/i" ] + "id": "@secretlint/secretlint-rule-preset-recommend", + "rules": [ + { + "id": "@secretlint/secretlint-rule-basicauth", + "allows": [ "/HOSTNAME:SECRET/i" ] + } + ] } ] } From 2dcc2bd5e34ec8575db5628f17de2c9d99d3e61a Mon Sep 17 00:00:00 2001 From: Baptiste Grenier Date: Sun, 13 Oct 2024 11:28:50 +0200 Subject: [PATCH 14/24] Remove trufflehog, keeping gitleaks and secretlint --- .github/workflows/mega-linter.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/mega-linter.yml b/.github/workflows/mega-linter.yml index 164bc733f9..aefff3b8d3 100644 --- a/.github/workflows/mega-linter.yml +++ b/.github/workflows/mega-linter.yml 
@@ -58,7 +58,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # ADD YOUR CUSTOM ENV VARIABLES HERE OR DEFINE THEM IN A FILE .mega-linter.yml AT THE ROOT OF YOUR REPOSITORY DISABLE: COPYPASTE,SPELL - DISABLE_LINTERS: REPOSITORY_GRYPE,REPOSITORY_TRIVY + DISABLE_LINTERS: REPOSITORY_GRYPE,REPOSITORY_TRIVY,REPOSITORY_TRUFFLEHOG REPOSITORY_GITLEAKS_PR_COMMITS_SCAN: ${{ github.event_name == 'pull_request' }} # Upload MegaLinter artifacts From 6c21ae8fb0b473ea2bea999fe61de877ad4c03a5 Mon Sep 17 00:00:00 2001 From: Baptiste Grenier Date: Sun, 13 Oct 2024 11:32:36 +0200 Subject: [PATCH 15/24] Address last too open top-level permissions --- .github/workflows/deploy.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index cfe4af1feb..8be1207240 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -10,6 +10,8 @@ on: branches: - main +permissions: read-all + jobs: deploy: name: Build using Hugo and deploy From 1313392a895ad59489fb56ac9142f649278245f1 Mon Sep 17 00:00:00 2001 From: Baptiste Grenier Date: Sun, 13 Oct 2024 11:34:42 +0200 Subject: [PATCH 16/24] Fix yaml lint --- .github/workflows/mega-linter.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/mega-linter.yml b/.github/workflows/mega-linter.yml index aefff3b8d3..48757a53be 100644 --- a/.github/workflows/mega-linter.yml +++ b/.github/workflows/mega-linter.yml @@ -59,7 +59,7 @@ jobs: # ADD YOUR CUSTOM ENV VARIABLES HERE OR DEFINE THEM IN A FILE .mega-linter.yml AT THE ROOT OF YOUR REPOSITORY DISABLE: COPYPASTE,SPELL DISABLE_LINTERS: REPOSITORY_GRYPE,REPOSITORY_TRIVY,REPOSITORY_TRUFFLEHOG - REPOSITORY_GITLEAKS_PR_COMMITS_SCAN: ${{ github.event_name == 'pull_request' }} + REPOSITORY_GITLEAKS_PR_COMMITS_SCAN: ${{ github.event_name == 'pull_request' }} # Upload MegaLinter artifacts - name: Archive production artifacts From f6b2d7bf861afb32ad63e62976ab4e57241086cc Mon Sep 17 00:00:00 2001 
From: Baptiste Grenier Date: Sun, 13 Oct 2024 11:40:46 +0200 Subject: [PATCH 17/24] Try to fix secret for secretlint --- .github/linters/.secretlintrc.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/linters/.secretlintrc.json b/.github/linters/.secretlintrc.json index 51cbba75cb..8284e029a6 100644 --- a/.github/linters/.secretlintrc.json +++ b/.github/linters/.secretlintrc.json @@ -5,7 +5,7 @@ "rules": [ { "id": "@secretlint/secretlint-rule-basicauth", - "allows": [ "/HOSTNAME:SECRET/i" ] + "allows": [ "/SECRET/i" ] } ] } From 06de70b9d2f23e55a7ac401436b30bb38e50b787 Mon Sep 17 00:00:00 2001 From: Baptiste Grenier Date: Sun, 13 Oct 2024 11:43:00 +0200 Subject: [PATCH 18/24] Only exclude CSPELL not all SPELL, see https://megalinter.io/latest/descriptors/spell_cspell --- .github/workflows/mega-linter.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/mega-linter.yml b/.github/workflows/mega-linter.yml index 48757a53be..95ec06dda1 100644 --- a/.github/workflows/mega-linter.yml +++ b/.github/workflows/mega-linter.yml @@ -57,8 +57,8 @@ jobs: VALIDATE_ALL_CODEBASE: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # ADD YOUR CUSTOM ENV VARIABLES HERE OR DEFINE THEM IN A FILE .mega-linter.yml AT THE ROOT OF YOUR REPOSITORY - DISABLE: COPYPASTE,SPELL - DISABLE_LINTERS: REPOSITORY_GRYPE,REPOSITORY_TRIVY,REPOSITORY_TRUFFLEHOG + DISABLE: COPYPASTE + DISABLE_LINTERS: REPOSITORY_GRYPE,REPOSITORY_TRIVY,REPOSITORY_TRUFFLEHOG,SPELL_CSPELL REPOSITORY_GITLEAKS_PR_COMMITS_SCAN: ${{ github.event_name == 'pull_request' }} # Upload MegaLinter artifacts From 05ee1ccdb77a5273de163e89d24833519b62d645 Mon Sep 17 00:00:00 2001 From: Baptiste Grenier Date: Sun, 13 Oct 2024 11:53:17 +0200 Subject: [PATCH 19/24] Aheum... --- .github/linters/.secretlintrc.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/linters/.secretlintrc.json b/.github/linters/.secretlintrc.json index 8284e029a6..2567934c48 100644 --- a/.github/linters/.secretlintrc.json +++ b/.github/linters/.secretlintrc.json @@ -5,7 +5,7 @@ "rules": [ { "id": "@secretlint/secretlint-rule-basicauth", - "allows": [ "/SECRET/i" ] + "allows": [ "SECRET" ] } ] } From a5f45199fc7812ed1ce681231dd68d10c4b93bd6 Mon Sep 17 00:00:00 2001 From: Baptiste Grenier Date: Sun, 13 Oct 2024 12:01:59 +0200 Subject: [PATCH 20/24] Document gitleaks configuration --- .github/workflows/mega-linter.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/mega-linter.yml b/.github/workflows/mega-linter.yml index 95ec06dda1..45387d820e 100644 --- a/.github/workflows/mega-linter.yml +++ b/.github/workflows/mega-linter.yml @@ -59,6 +59,7 @@ jobs: # ADD YOUR CUSTOM ENV VARIABLES HERE OR DEFINE THEM IN A FILE .mega-linter.yml AT THE ROOT OF YOUR REPOSITORY DISABLE: COPYPASTE DISABLE_LINTERS: REPOSITORY_GRYPE,REPOSITORY_TRIVY,REPOSITORY_TRUFFLEHOG,SPELL_CSPELL + # Scan only changes in PR, otherwise scan everything REPOSITORY_GITLEAKS_PR_COMMITS_SCAN: ${{ github.event_name == 'pull_request' }} # Upload MegaLinter artifacts From 70848fc10dd773a381ce0819444fa7bdcf4625d3 Mon Sep 17 00:00:00 2001 From: Baptiste Grenier Date: Sun, 13 Oct 2024 12:06:17 +0200 Subject: [PATCH 21/24] Try yet another way to pass option to secretlinter --- .github/linters/.secretlintrc.json | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/linters/.secretlintrc.json b/.github/linters/.secretlintrc.json index 2567934c48..e108f2c460 100644 --- a/.github/linters/.secretlintrc.json +++ b/.github/linters/.secretlintrc.json @@ -5,7 +5,9 @@ "rules": [ { "id": "@secretlint/secretlint-rule-basicauth", - "allows": [ "SECRET" ] + "options": { + "allows": [ "https://HOSTNAME:SECRET@nsupdate.fedcloud.eu/nic/update" ] + } } ] } From e09d1a5dd5d68e856a193ffc4e7dd3158f509f7e Mon Sep 17 00:00:00 2001 
From: Baptiste Grenier Date: Sun, 13 Oct 2024 12:10:51 +0200 Subject: [PATCH 22/24] Update lychee configuration --- .github/workflows/deploy_pr_preview.yml | 3 --- .lycheeignore | 2 ++ 2 files changed, 2 insertions(+), 3 deletions(-) create mode 100644 .lycheeignore diff --git a/.github/workflows/deploy_pr_preview.yml b/.github/workflows/deploy_pr_preview.yml index bd5ac36fa6..547b214ad2 100644 --- a/.github/workflows/deploy_pr_preview.yml +++ b/.github/workflows/deploy_pr_preview.yml @@ -60,9 +60,6 @@ jobs: github_token: ${{ secrets.GITHUB_TOKEN }} # Purge older files from a given PR keep_files: false - # Accessible at http://docs.egi.eu/documentation/ - # XXX use a different domain - # cname: docs.egi.eu # Branch to push to publish_branch: pr_previews # Source directory diff --git a/.lycheeignore b/.lycheeignore new file mode 100644 index 0000000000..582d7a270a --- /dev/null +++ b/.lycheeignore @@ -0,0 +1,2 @@ +https://docs.egi.eu/documentation/* +https://megalinter.io/* From 38c3da086b50429c5097e8b48d38f41ae75b9094 Mon Sep 17 00:00:00 2001 From: Baptiste Grenier Date: Sun, 13 Oct 2024 12:16:42 +0200 Subject: [PATCH 23/24] Try yet another way to pass option to secretlinter. ;( --- .github/linters/.secretlintrc.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/linters/.secretlintrc.json b/.github/linters/.secretlintrc.json index e108f2c460..5a24d36274 100644 --- a/.github/linters/.secretlintrc.json +++ b/.github/linters/.secretlintrc.json @@ -6,7 +6,7 @@ { "id": "@secretlint/secretlint-rule-basicauth", "options": { - "allows": [ "https://HOSTNAME:SECRET@nsupdate.fedcloud.eu/nic/update" ] + "allows": [ "/secret/i" ] } } ] From fde72406c0651ed97b2b8ff6fc9e2c8bc6851727 Mon Sep 17 00:00:00 2001 From: Baptiste Grenier Date: Tue, 15 Oct 2024 16:10:30 +0100 Subject: [PATCH 24/24] Replace commit info --- .github/workflows/mega-linter.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
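Review bot: The final allowlist `"/secret/i"` suppresses any basic-auth match whose text contains `secret` in any letter case, which is far wider than the documentation placeholder it is meant to cover and would also hide a real credential string that happens to include that word. Anchoring the pattern to the placeholder form, for example `"allows": [ "/HOSTNAME:SECRET@/" ]` (constructed sample) or the literal placeholder URL `https://HOSTNAME:SECRET@nsupdate.fedcloud.eu/nic/update` tried in patch 21, keeps the rule effective for every other match. Patches 08, 13, 17, 19 and 21 are earlier iterations of this same entry, so the rationale for the final shape is worth a short comment in the commit or adjacent documentation, since JSON offers no in-file place for it.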
diff --git a/.github/workflows/mega-linter.yml b/.github/workflows/mega-linter.yml index 45387d820e..4a57414e4d 100644 --- a/.github/workflows/mega-linter.yml +++ b/.github/workflows/mega-linter.yml @@ -118,5 +118,5 @@ jobs: with: branch: ${{ github.event.pull_request.head.ref || github.head_ref || github.ref }} commit_message: "[MegaLinter] Apply linters fixes" - commit_user_name: megalinter-bot - commit_user_email: nicolas.vuillamy@ox.security + commit_user_name: egibot + commit_user_email: egibot@egi.eu